CLC#003: IoT Access-as-a-Service
Cyber Lunarium Commission #003
The Cyber Lunarium Commission was established to propose novel approaches to United States cyber strategy grounded in technical and operational realities. The commissioners of the CLC “moonlight” in cyber policy, drawing upon their experiences in government, military, industry, and academia.
In CLC#001, the Cyber Lunarium Commission introduced cyber letters of marque (CLoM), and in CLC#002 explored the application of these tools to counter-ISIL cyber operations. This publication, CLC#003, further expands upon the “access-as-a-service” (AaaS) concept discussed in these previous publications, applying it to the challenges of acquiring and managing access to internet of things (IoT) devices (e.g., home routers, webcams, smart lightbulbs).
The IoT Tax
The proliferation of IoT devices worldwide creates unique challenges for cyber operations. IoT presents operators with a planetary-scale range of “low-hanging fruit” targets, each trivially easy to exploit, but each unique. The modern operating environment, characterized by hardened mainstream platforms (Windows 10 with Hyper-V, iOS with silicon-based mitigations, Android with compiler-based sanitizers baked in at build time, etc.) alongside heterogeneous IoT devices, is in many ways like the classic internet meme of asking people whether they would rather fight “100 duck-sized horses” (IoT) or “one horse-sized duck” (a modern phone). Where attacking a modern phone may take a “chain” of seven vulnerabilities costing millions of dollars, developing exploits for IoT devices is the work of novice college students over summer internships in government and the offensive cyber industry.
IoT’s unique hardware and software architectures already present low-level distractions to technical talent. Developing and maintaining IoT access capabilities will require continual analysis with bespoke tools, and maintenance of those tools themselves, e.g., Ghidra modules for obscure architectures, offset finders for firmware ROP gadgets, etc. Testing is challenged by the need for access to physical devices, though research into “re-hosting” (running extracted firmware under emulation rather than on the original hardware) may provide promising alternatives, with the caveat that emulating device-specific peripherals remains the hard part. Even obtaining physical devices will become challenging, as adversary nations increasingly invest in indigenous technology stacks (e.g., China’s Loongson CPUs), and procurement will require physical presence in adversary territory in an increasingly contested human intelligence operating environment.
On the operational front, managing large numbers of devices, deconflicting accesses with allied actors, and ensuring covertness and exclusivity in the face of adversary analysis will present challenges.
In many ways, the need to maintain capabilities against IoT devices will become a “tax” on national ability to operate in cyberspace. On the brighter side, there are genuine opportunities to unlock new operational concepts that will emerge as access scales and points-of-presence multiply.
Cyber Letters of Marque for IoT Operations
While 0-day exploit “brokers” continue to grab headlines, a market for managed operations and AaaS offerings is quietly emerging. Given the large-scale challenge of developing access capabilities for IoT devices, compromising these devices, and then administering the resulting accesses, these operations would be a perfect fit for CLoM-based outsourcing.
While agencies seeking IoT access could simply purchase exploits for these devices, in-house developers and operators would still be required to integrate and operate these capabilities. AaaS could free the national cyber workforce to focus on the hard problems in technical R&D, operations, and mission management which matter most. IoT AaaS operations would require government payment, and would not be self-funding as many traditional maritime LoM operations were (where privateers were compensated from captured prizes).
A variety of operating concepts for outsourced IoT operations are possible, including commodity accesses, regional accesses, or specific device / technical accesses. In the simplest concept, commodity access, accesses to IoT devices would be sold at scale - for example, suppliers would be compensated for every thousand devices compromised and made accessible through an agreed-upon technical scheme (e.g., login credentials). Regional accesses could be sold at a premium, e.g., only devices in south-east Asia. Finally, access to specific brands or classes of IoT devices could also be sold.
Criminal sales of IoT botnets have proven that these IoT AaaS models work from technical and economic standpoints - CLoMs would provide the legal basis that allows legitimate companies to pursue the same work.
In addition to simply providing commodity access (“shells”) on compromised IoT devices, IoT accesses could also be leveraged for on-demand offensive effects - e.g., botnet-style DDoS attacks, mass-scale brickings, removal of adversary code colocated on-device, etc.
Botnet takedowns, a rare area of proud public-private partnership, could also benefit from CLoM authorities for IoT operations. These takedowns are often conducted by law enforcement working in conjunction with private threat intelligence firms, large tech companies, and network operators to conduct offensive counter-cyber operations and “defend forward.” Congressional authority for granting CLoMs could create a legally sanctioned cutout for activity that already happens, often in legal gray areas without much transparency for lawmakers.
Privatized IoT operations would have to be regulated to ensure that devices in the US and designated ally countries are not targeted, but other than this there are unlikely to be many escalatory or legal challenges to outsourcing these operations. IoT exploits are usually low-risk and unlikely to damage devices; a failed attempt against a typical embedded target usually amounts to a crashed process or a reboot that the owner never notices. Additionally, exploitation of IoT devices is difficult for device owners to detect, though foreign intelligence agencies may be able to.
Unlike other CLoM operating concepts explored in this series, which involve allowing private operators to conduct operations against specific targets, IoT AaaS CLoMs would entail light-touch operations more broadly targeting civilian devices worldwide. These operations present more risk of affecting American or allied populations, so oversight would be crucial. Congressional and other federal oversight would ensure validity of targeting and operations, and strict punishment would have to be administered to CLoM holders operating outside of legal boundaries.
Targeting civilian devices in friendly countries (but not necessarily say, FVEY) could be seen as politically or diplomatically controversial - particularly among EU countries concerned with maintaining cyber pax post-Snowden. While these concerns may be valid, they are often offered in classic continental bad faith, by EU policymakers willfully discounting offensive proliferation issues within their own borders, or worse, kept in the dark by their foreign intelligence services. To assuage concerns, authorization for private CLoM operations could be limited to only certain countries, sectors, etc.
The use of the CLoM legal vehicle is important as it provides a way to keep Congress abreast of developments in cyber operating concepts - and to provide them with the ability to regulate these operations. While existing statutes require Congressional notification of “Sensitive Military Cyber Operations” (SMCOs), building upon long-standing frameworks for notification of covert action, simple IoT access operations would occur far below the threshold of constituting an SMCO - more DEFCON than Stuxnet.
Limited CLoM-approved attack scenarios could be handled on an ad hoc legal basis, but they would likely be focused on specific goals, e.g., shutting down a particular government’s networks.
In the modern cyber operating environment, IoT will become a persistent “tax” on operations. The CLoM concept provides a helpful tool which could be used to enable government operators to externalize authority for conducting these operations to approved contractors, allowing government to operate with better mission efficiency.